# Copyright 2022 99cloud
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# flake8: noqa
# fmt: off

from skyline_apiserver.schemas.policy_manager import Operation

from . import base

# Policy rule table for the container-infra API under /v1 (bays, baymodels,
# certificates, clusters, cluster templates, federations, quotas, stats and
# nodegroups). The descriptions mention magnum, so this presumably mirrors the
# Magnum service's default policies -- confirm against the release in use.
#
# Layout: six base.Rule entries define reusable named checks; the base.APIRule
# entries that follow bind one API action each to a check string, a scope and
# the HTTP operation(s) it governs.
#
# Reading the check strings (assumes oslo.policy-style evaluation -- TODO
# confirm against base.Rule / base.APIRule):
#   * "rule:<name>" refers to another rule in this table.
#   * "<attr>:%(<key>)s" compares an attribute of the caller's credentials
#     with the value of <key> taken from the request target.
#   * The parentheses around every check_str are grouping only; each value is
#     a plain str, not a tuple.
#
# Every APIRule in this table declares scope_types=["project"], including the
# ones gated by rule:admin_api.
list_rules = (
    # Matches on the role name alone. The expression carries no project, domain
    # or system qualifier, so where the admin role was granted is not part of
    # this check.
    base.Rule(
        name="context_is_admin",
        check_str=("role:admin"),
        description="No description",
    ),
    # Admin flag on the caller, or the caller's project_id equals the target's
    # project_id.
    base.Rule(
        name="admin_or_owner",
        check_str=("is_admin:True or project_id:%(project_id)s"),
        description="No description",
    ),
    # Alias for context_is_admin; this is the gate used by the *_all_projects,
    # publish, quota-write and magnum-service rules below.
    base.Rule(
        name="admin_api",
        check_str=("rule:context_is_admin"),
        description="No description",
    ),
    # Admin flag on the caller, or the caller's user_id equals the target's
    # user_id.
    base.Rule(
        name="admin_or_user",
        check_str=("is_admin:True or user_id:%(user_id)s"),
        description="No description",
    ),
    # The caller's user_id equals the target's trustee_user_id.
    base.Rule(
        name="cluster_user",
        check_str=("user_id:%(trustee_user_id)s"),
        description="No description",
    ),
    # Negated check: passes for every caller whose domain_id differs from the
    # target's trustee_domain_id. It contains no role, owner or project test,
    # so an APIRule that uses it alone depends on something outside this table
    # for tenant isolation.
    # NOTE(review): confirm where per-project filtering is enforced for the
    # rules gated only by deny_cluster_user.
    base.Rule(
        name="deny_cluster_user",
        check_str=("not domain_id:%(trustee_domain_id)s"),
        description="No description",
    ),
    # --- bay ---
    base.APIRule(
        name="bay:create",
        check_str=("rule:deny_cluster_user"),
        description="Create a new bay.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/bays")],
    ),
    base.APIRule(
        name="bay:delete",
        check_str=("rule:deny_cluster_user"),
        description="Delete a bay.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/bays/{bay_ident}")],
    ),
    base.APIRule(
        name="bay:detail",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of bays with detail.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/bays")],
    ),
    base.APIRule(
        name="bay:get",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve information about the given bay.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/bays/{bay_ident}")],
    ),
    base.APIRule(
        name="bay:get_all",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of bays.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/bays/")],
    ),
    base.APIRule(
        name="bay:update",
        check_str=("rule:deny_cluster_user"),
        description="Update an existing bay.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/bays/{bay_ident}")],
    ),
    # --- baymodel ---
    base.APIRule(
        name="baymodel:create",
        check_str=("rule:deny_cluster_user"),
        description="Create a new baymodel.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/baymodels")],
    ),
    base.APIRule(
        name="baymodel:delete",
        check_str=("rule:deny_cluster_user"),
        description="Delete a baymodel.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/baymodels/{baymodel_ident}")],
    ),
    # baymodel:detail and baymodel:get_all list the identical operation
    # (GET /v1/baymodels), so method + path does not tell them apart.
    base.APIRule(
        name="baymodel:detail",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of baymodel with detail.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/baymodels")],
    ),
    base.APIRule(
        name="baymodel:get",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve information about the given baymodel.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/baymodels/{baymodel_ident}")],
    ),
    base.APIRule(
        name="baymodel:get_all",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of baymodel.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/baymodels")],
    ),
    base.APIRule(
        name="baymodel:update",
        check_str=("rule:deny_cluster_user"),
        description="Update an existing baymodel.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/baymodels/{baymodel_ident}")],
    ),
    # Admin-only. Listed against the collection path for both POST and PATCH,
    # i.e. the same POST operation as baymodel:create.
    base.APIRule(
        name="baymodel:publish",
        check_str=("rule:admin_api"),
        description="Publish an existing baymodel.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/baymodels"), Operation(method="PATCH", path="/v1/baymodels")],
    ),
    # --- certificate ---
    # Signing and CA retrieval are allowed for an admin, the matching user_id,
    # or the target's trustee user (rule:cluster_user). CA rotation is gated by
    # admin_or_owner instead.
    base.APIRule(
        name="certificate:create",
        check_str=("rule:admin_or_user or rule:cluster_user"),
        description="Sign a new certificate by the CA.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/certificates")],
    ),
    # NOTE(review): "{bay_uuid/cluster_uuid}" reads as one placeholder whose
    # name contains a slash, not two path segments -- confirm that whatever
    # consumes these paths treats it that way.
    base.APIRule(
        name="certificate:get",
        check_str=("rule:admin_or_user or rule:cluster_user"),
        description="Retrieve CA information about the given bay/cluster.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/certificates/{bay_uuid/cluster_uuid}")],
    ),
    base.APIRule(
        name="certificate:rotate_ca",
        check_str=("rule:admin_or_owner"),
        description="Rotate the CA certificate on the given bay/cluster.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/certificates/{bay_uuid/cluster_uuid}")],
    ),
    # --- cluster ---
    # Each *_all_projects rule below lists the same method and path as its
    # per-project counterpart but requires rule:admin_api. The operations list
    # alone therefore does not identify which of the two rules applies to a
    # request.
    base.APIRule(
        name="cluster:create",
        check_str=("rule:deny_cluster_user"),
        description="Create a new cluster.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clusters")],
    ),
    base.APIRule(
        name="cluster:delete",
        check_str=("rule:deny_cluster_user"),
        description="Delete a cluster.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:delete_all_projects",
        check_str=("rule:admin_api"),
        description="Delete a cluster from any project.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:detail",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of clusters with detail.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters")],
    ),
    base.APIRule(
        name="cluster:detail_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve a list of clusters with detail across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters")],
    ),
    base.APIRule(
        name="cluster:get",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve information about the given cluster.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:get_one_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve information about the given cluster across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:get_all",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of clusters.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/")],
    ),
    base.APIRule(
        name="cluster:get_all_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve a list of all clusters across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/")],
    ),
    base.APIRule(
        name="cluster:update",
        check_str=("rule:deny_cluster_user"),
        description="Update an existing cluster.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
    ),
    # Same PATCH path as cluster:update, but a different check: it explicitly
    # admits the cluster's trustee user (rule:cluster_user), which
    # deny_cluster_user-gated rules are written to keep out.
    base.APIRule(
        name="cluster:update_health_status",
        check_str=("rule:admin_or_user or rule:cluster_user"),
        description="Update the health status of an existing cluster.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:update_all_projects",
        check_str=("rule:admin_api"),
        description="Update an existing cluster.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_ident}")],
    ),
    base.APIRule(
        name="cluster:resize",
        check_str=("rule:deny_cluster_user"),
        description="Resize an existing cluster.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/resize")],
    ),
    base.APIRule(
        name="cluster:upgrade",
        check_str=("rule:deny_cluster_user"),
        description="Upgrade an existing cluster.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/upgrade")],
    ),
    base.APIRule(
        name="cluster:upgrade_all_projects",
        check_str=("rule:admin_api"),
        description="Upgrade an existing cluster across all projects.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clusters/{cluster_ident}/actions/upgrade")],
    ),
    # --- clustertemplate ---
    # Unlike cluster:delete / cluster:update, the template delete and update
    # rules use admin_or_owner, i.e. they compare project_id with the target.
    # NOTE(review): the single-item paths below are spelled
    # "/v1/clustertemplate/..." (singular) while the collection paths are
    # "/v1/clustertemplates" -- confirm which spelling the consumer of these
    # paths expects before relying on them for request matching.
    base.APIRule(
        name="clustertemplate:create",
        check_str=("rule:deny_cluster_user"),
        description="Create a new cluster template.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clustertemplates")],
    ),
    base.APIRule(
        name="clustertemplate:delete",
        check_str=("rule:admin_or_owner"),
        description="Delete a cluster template.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    base.APIRule(
        name="clustertemplate:delete_all_projects",
        check_str=("rule:admin_api"),
        description="Delete a cluster template from any project.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    base.APIRule(
        name="clustertemplate:detail_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve a list of cluster templates with detail across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplates")],
    ),
    base.APIRule(
        name="clustertemplate:detail",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of cluster templates with detail.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplates")],
    ),
    base.APIRule(
        name="clustertemplate:get",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve information about the given cluster template.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    base.APIRule(
        name="clustertemplate:get_one_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve information about the given cluster template across project.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    base.APIRule(
        name="clustertemplate:get_all",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of cluster templates.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplates")],
    ),
    base.APIRule(
        name="clustertemplate:get_all_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve a list of cluster templates across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clustertemplates")],
    ),
    base.APIRule(
        name="clustertemplate:update",
        check_str=("rule:admin_or_owner"),
        description="Update an existing cluster template.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    base.APIRule(
        name="clustertemplate:update_all_projects",
        check_str=("rule:admin_api"),
        description="Update an existing cluster template.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clustertemplate/{clustertemplate_ident}")],
    ),
    # Admin-only; listed against the collection path for both POST and PATCH.
    base.APIRule(
        name="clustertemplate:publish",
        check_str=("rule:admin_api"),
        description="Publish an existing cluster template.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clustertemplates"), Operation(method="PATCH", path="/v1/clustertemplates")],
    ),
    # --- federation ---
    # All six federation rules are gated by deny_cluster_user only.
    base.APIRule(
        name="federation:create",
        check_str=("rule:deny_cluster_user"),
        description="Create a new federation.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/federations")],
    ),
    base.APIRule(
        name="federation:delete",
        check_str=("rule:deny_cluster_user"),
        description="Delete a federation.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/federations/{federation_ident}")],
    ),
    base.APIRule(
        name="federation:detail",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of federations with detail.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/federations")],
    ),
    base.APIRule(
        name="federation:get",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve information about the given federation.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/federations/{federation_ident}")],
    ),
    base.APIRule(
        name="federation:get_all",
        check_str=("rule:deny_cluster_user"),
        description="Retrieve a list of federations.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/federations/")],
    ),
    base.APIRule(
        name="federation:update",
        check_str=("rule:deny_cluster_user"),
        description="Update an existing federation.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/federations/{federation_ident}")],
    ),
    # --- magnum-service / quota / stats ---
    # Service listing and every quota write are admin-only; quota:get and
    # stats:get_all additionally admit a caller whose project_id matches the
    # target (admin_or_owner).
    base.APIRule(
        name="magnum-service:get_all",
        check_str=("rule:admin_api"),
        description="Retrieve a list of magnum-services.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/mservices")],
    ),
    base.APIRule(
        name="quota:create",
        check_str=("rule:admin_api"),
        description="Create quota.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/quotas")],
    ),
    base.APIRule(
        name="quota:delete",
        check_str=("rule:admin_api"),
        description="Delete quota for a given project_id and resource.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/quotas/{project_id}/{resource}")],
    ),
    base.APIRule(
        name="quota:get",
        check_str=("rule:admin_or_owner"),
        description="Retrieve Quota information for the given project_id.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/quotas/{project_id}/{resource}")],
    ),
    base.APIRule(
        name="quota:get_all",
        check_str=("rule:admin_api"),
        description="Retrieve a list of quotas.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/quotas")],
    ),
    base.APIRule(
        name="quota:update",
        check_str=("rule:admin_api"),
        description="Update quota for a given project_id.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/quotas/{project_id}/{resource}")],
    ),
    base.APIRule(
        name="stats:get_all",
        check_str=("rule:admin_or_owner"),
        description="Retrieve magnum stats.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/stats")],
    ),
    # --- nodegroup ---
    # Per-project nodegroup rules use admin_or_owner; the *_all_projects
    # variants use admin_api.
    # NOTE(review): nodegroup:get spells its path ".../nodegroup/{nodegroup}"
    # (singular) while every other nodegroup rule uses ".../nodegroups/..." --
    # confirm which one the consumer of these paths expects.
    base.APIRule(
        name="nodegroup:get",
        check_str=("rule:admin_or_owner"),
        description="Retrieve information about the given nodegroup.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroup/{nodegroup}")],
    ),
    base.APIRule(
        name="nodegroup:get_all",
        check_str=("rule:admin_or_owner"),
        description="Retrieve a list of nodegroups that belong to a cluster.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/")],
    ),
    base.APIRule(
        name="nodegroup:get_all_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve a list of nodegroups across projects.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/")],
    ),
    # NOTE(review): the description below contains a typo ("infornation"). It
    # is a runtime string, so it is left untouched here.
    base.APIRule(
        name="nodegroup:get_one_all_projects",
        check_str=("rule:admin_api"),
        description="Retrieve infornation for a given nodegroup.",
        scope_types=["project"],
        operations=[Operation(method="GET", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
    ),
    base.APIRule(
        name="nodegroup:create",
        check_str=("rule:admin_or_owner"),
        description="Create a new nodegroup.",
        scope_types=["project"],
        operations=[Operation(method="POST", path="/v1/clusters/{cluster_id}/nodegroups/")],
    ),
    base.APIRule(
        name="nodegroup:delete",
        check_str=("rule:admin_or_owner"),
        description="Delete a nodegroup.",
        scope_types=["project"],
        operations=[Operation(method="DELETE", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
    ),
    base.APIRule(
        name="nodegroup:update",
        check_str=("rule:admin_or_owner"),
        description="Update an existing nodegroup.",
        scope_types=["project"],
        operations=[Operation(method="PATCH", path="/v1/clusters/{cluster_id}/nodegroups/{nodegroup}")],
    ),
)

# The rule table is the module's only public name.
__all__ = ("list_rules",)
